From 9ed4c08d8c03f8d12586c25cddc33da92a20c218 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 22 Feb 2022 10:48:18 +0100
Subject: surtr: tls/dns: rfc2136 for rheperire.org
---
 hosts/surtr/tls/default.nix | 156 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 156 insertions(+)
 create mode 100644 hosts/surtr/tls/default.nix
(limited to 'hosts/surtr/tls/default.nix')
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
new file mode 100644
index 00000000..a1548feb
--- /dev/null
+++ b/hosts/surtr/tls/default.nix
@@ -0,0 +1,156 @@
+{ config, lib, customUtils, pkgs, ... }:
+
+with lib;
+
+let
+ inherit (customUtils) mapFilterAttrs;
+
+ tsigSecretName = domain: "${domain}_tsig-secret";
+
+ cfg = config.security.acme;
+ knotCfg = config.services.knot;
+
+ knotDNSCredentials = domain: let
+ zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone;
+ in pkgs.writeText "lego-credentials" ''
+ EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
+ EXEC_PROPAGATION_TIMEOUT=300
+ EXEC_POLLING_INTERVAL=5
+ '';
+ knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
+ #!${pkgs.zsh}/bin/zsh -xe
+
+ mode=$1
+ fqdn=$2
+ challenge=$3
+
+ owner=''${fqdn%".${zone}."}
+
+ commited=
+ function abort() {
+ [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
+ }
+
+ ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
+ trap abort EXIT
+
+ case "''${mode}" in
+ present)
+ if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then
+ ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
+ fi
+ ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
+ ;;
+ cleanup)
+ ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
+ ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
+ ;;
+ *)
+ exit 2
+ ;;
+ esac
+
+ ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
+ commited=yes
+ '';
+
+ domainOptions = {
+ options = {
+ wildcard = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ zone = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ certCfg = mkOption {
+ type = types.attrs;
+ default = {};
+ };
+ };
+ };
+in {
+ options = {
+ security.acme = {
+ domains = mkOption {
+ type = types.attrsOf (types.submodule domainOptions);
+ default = {};
+ };
+ };
+ };
+
+ config = {
+ security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" 
"kleen.li" "nights.email"] (domain: { wildcard = true; });
+
+ fileSystems."/var/lib/acme" =
+ { device = "surtr/safe/var-lib-acme";
+ fsType = "zfs";
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ preliminarySelfsigned = true; # DNS challenge is slow
+ defaults = {
+ email = "phikeebaogobaegh@141.li";
+ keyType = "rsa4096"; # we don't like NIST curves
+ # extraLegoFlags = ["--preferred-chain" "ISRG Root X1"];
+ };
+ certs =
+ let
+ domainAttrset = domain: let
+ tsigPath = ./tsig_keys + "/${domain}";
+ tsigSecret = config.sops.secrets.${tsigSecretName domain};
+ isTsig = pathExists tsigPath;
+ shared = {
+ inherit domain;
+ extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
+ dnsResolver = "127.0.0.1:5353";
+ };
+ mkKnotc = shared // {
+ dnsProvider = "exec";
+ credentialsFile = knotDNSCredentials domain;
+ };
+ mkRFC2136 = let
+ tsigInfo = readYaml tsigPath;
+ in shared // {
+ dnsProvider = "rfc2136";
+ credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
+ RFC2136_NAMESERVER=127.0.0.1:53
+ RFC2136_TSIG_ALGORITHM=hmac-sha256. 
+ RFC2136_TSIG_KEY=${domain}_acme
+ RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
+ RFC2136_PROPAGATION_TIMEOUT=300
+ RFC2136_POLLING_INTERVAL=5
+ RFC2136_TTL=300
+ '';
+ };
+ in // cfg.domains.${domain}.certCfg;
+ in genAttrs (attrNames cfg.domains) domainAttrset;
+ };
+
+ sops.secrets = let
+ toTSIGSecret = n: v:
+ if v == "regular" || v == "symlink"
+ then nameValuePair (tsigSecretName n) {
+ format = "binary";
+ owner = if config.security.acme.useRoot then "root" else "acme";
+ group = "acme";
+ sopsFile = ./tsig_keys + "/${n}";
+ } else null;
+ in mapFilterAttrs (_: v: v != null) toTSIGSecret (readDir ./tsig_keys);
+
+ systemd.services =
+ let
+ serviceAttrset = domain: {
+ after = [ "knot.service" ];
+ bindsTo = [ "knot.service" ];
+ serviceConfig = {
+ ReadWritePaths = ["/run/knot/knot.sock"];
+ SupplementaryGroups = ["knot"];
+ RestrictAddressFamilies = ["AF_UNIX"];
+ };
+ };
+ in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
+ };
+}
-- cgit v1.2.3
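Review bot: `domainAttrset` never chooses between `mkKnotc` and `mkRFC2136`: as rendered, its body ends in `in // cfg.domains.${domain}.certCfg;` with no left operand, and `isTsig` and `tsigInfo` are bound but never read, so unless this is an extraction artefact the selection that the commit title promises is missing; the intended line is presumably `in (if isTsig then mkRFC2136 else mkKnotc) // cfg.domains.${domain}.certCfg;`. In `update-dns.sh`, `owner=''${fqdn%".${zone}."}` leaves `owner` equal to the full name whenever the challenge FQDN is not under `zone`, after which `zone-set` writes a record at the wrong owner inside an already-begun transaction; a guard such as `[[ "''${owner}" != "''${fqdn}" ]] || exit 2` placed before `zone-begin` turns that into a hard failure. The `systemd.services` override grants every `acme-*` unit write access to `/run/knot/knot.sock` and the `knot` supplementary group, including rfc2136 certs that only talk to `127.0.0.1:53` over TSIG, so restricting the `genAttrs` to certs whose `dnsProvider` is `exec` would keep the control-socket privilege to the units that need it. `RestrictAddressFamilies = ["AF_UNIX"]` presumably merges with the families the upstream acme module already allows, since both providers also need AF_INET for `127.0.0.1:5353` and `127.0.0.1:53`; worth confirming rather than assuming.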